Update the stage descriptions and instructions

git-svn-id: http://webgoat.googlecode.com/svn/trunk@179 4033779f-a91e-0410-96ef-6bf7bf53c507
rogan.dawes 2007-07-18 13:28:24 +00:00
parent ad7f4aec68
commit ab0423cb78
3 changed files with 34 additions and 39 deletions


@ -156,37 +156,38 @@ public class CrossSiteScripting extends GoatHillsFinancial
if (STAGE1.equals(stage))
{
instructions = "Execute a Stored Cross Site Scripting (XSS) attack.<br>"
+ "For this exercise, your mission is to cause the application to serve a script of your making "
+ " to some other user.";
+ "As 'Tom', execute a Stored XSS attack against the Street field on the Edit Profile page. "
+ "Verify that 'Jerry' is affected by the attack.";
}
else if (STAGE2.equals(stage))
{
instructions = "Block Stored XSS using Input Validation.<br>"
+ "You will modify the application to perform input validation on the vulnerable input field "
+ "you just exploited.";
+ "Implement a fix to block the stored XSS before it can be written to the database. "
+ "Repeat stage 1 as 'Eric' with 'David' as the manager. Verify that 'David' is not affected by the attack.";
}
else if (STAGE3.equals(stage))
{
instructions = "Execute a previously Stored Cross Site Scripting (XSS) attack.<br>"
+ "The application is still vulnerable to scripts in the database. Trigger a pre-stored "
+ "script by logging in as employee 'David' and viewing Bruce's profile.";
+ "The 'Bruce' employee profile is pre-loaded with a stored XSS attack. "
+ "Verify that 'David' is affected by the attack even though the fix from stage 2 is in place.";
}
else if (STAGE4.equals(stage))
{
instructions = "Block Stored XSS using Output Encoding.<br>"
+ "Encode data served from the database to the client so that any scripts are rendered harmless.";
+ "Implement a fix to block XSS after it is read from the database. "
+ "Repeat stage 3. Verify that 'David' is not affected by Bruce's profile attack.";
}
else if (STAGE5.equals(stage))
{
instructions = "Execute a Reflected XSS attack.<br>"
+ "Your goal here is to craft a link containing a script which the application will "
+ "serve right back to any client that activates the link.";
+ "Use a vulnerability on the Search Staff page to craft a URL containing a reflected XSS attack. "
+ "Verify that another employee using the link is affected by the attack.";
}
else if (STAGE6.equals(stage))
{
instructions = "Block Reflected XSS using Input Validation.<br>"
+ "Use the input validation techniques learned ealier in this lesson to close the vulnerability "
+ "you just exploited.";
+ "Implement a fix to block this reflected XSS attack. "
+ "Repeat step 5. Verify that the attack URL is no longer effective.";
}
}
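Review bot: The new Stage 6 text says `Repeat step 5` while the other new texts in this hunk (Stage 2, Stage 4) say "Repeat stage N", so the wording should be aligned: `+ "Repeat stage 5. Verify that the attack URL is no longer effective.";`. The instructions are HTML fragments (they embed `<br>`) assembled only from constant literals, so nothing user-controlled is concatenated here; that is worth keeping in mind if the text is ever parameterized later. The enclosing method begins before the first line of this hunk.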


@ -140,29 +140,26 @@ public class RoleBasedAccessControl extends GoatHillsFinancial
String stage = getStage(s);
if (STAGE1.equals(stage))
{
instructions = "Breaking functional access control.<br>"
+ "You should be able to login as a regular employee and delete another user's employee "
+ "profile, even though that is supposed to be an HR-only function.";
instructions = "Bypass Presentational Layer Access Control.<br>"
+ "As regular employee 'Tom', exploit weak access control to use the Delete function from the Staff List page. "
+ "Verify that Tom's profile can be deleted.";
}
else if (STAGE2.equals(stage))
{
instructions = "Implementing access control in the Business Layer<br>"
+ "Access control has already been implemented in the Presentation Layer, but as we have just "
+ "seen, this is not enough. Implement access control in the Businesss Layer to verify "
+ "authorization to use the Delete function before actually executing it.";
instructions = "Add Business Layer Access Control.<br>"
+ "Implement a fix to deny unauthorized access to the Delete function. "
+ "Repeat stage 1. Verify that access to Delete is properly denied.";
}
else if (STAGE3.equals(stage))
{
instructions = "Breaking data access control.<br>"
+ "Data Layer access control is being already done on the staff list, but it has not been "
+ "globally implemented. Take advantage of this to login as a regular employee and view the "
+ "CEO's employee profile.";
instructions = "Breaking Data Layer Access Control.<br>"
+ "As regular employee 'Tom', exploit weak access control to View another employee's profile. Verify the access.";
}
else if (STAGE4.equals(stage))
{
instructions = "Implementing access control in the Data Layer.<br>"
+ "Implement Data Layer access control to prevent unauthorized (and potentially career threatening) "
+ "access to employee personal data.";
instructions = "Add Data Layer Access Control.<br>"
+ "Implement a fix to deny unauthorized access to this data. "
+ "Repeat stage 3. Verify that access to other employee's profiles is properly denied.";
}
}
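Review bot: The new Stage 4 text has a misplaced apostrophe: `other employee's profiles` refers to several employees and should read `+ "Repeat stage 3. Verify that access to other employees' profiles is properly denied.";`. The new Stage 3 text ends with the terse `Verify the access.`, which breaks the "Verify that …" pattern every other stage uses; `"Verify that the profile can be viewed."` would match. The enclosing method begins before the first line of this hunk.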


@ -149,29 +149,26 @@ public class SQLInjection extends GoatHillsFinancial
if (STAGE1.equals(stage))
{
instructions = "Use String SQL Injection to bypass authentication. "
+ "The goal here is to login as the user "
+ PRIZE_EMPLOYEE_NAME
+ ", who is in the Admin group. "
+ "You do not have the password, but the form is SQL injectable.";
+ "Use SQL injection to log in as the boss ('Neville') without using the correct password. "
+ "Verify that Nevilles profile can be viewed and that all functions are available (including Search, Create, and Delete).";
}
else if (STAGE2.equals(stage))
{
instructions = "Use a parameterized query.<br>"
+ "A dynamic SQL query is not necessary for the login function to work. Change login "
+ "to use a parameterized query to protect against malicious SQL in the query parameters.";
instructions = "Block SQL Injection using a Parameterized Query.<br>"
+ "Implement a fix to block SQL injection into the fields in question on the Login page. "
+ "Repeat stage 1. Verify that the attack is no longer effective.";
}
else if (STAGE3.equals(stage))
{
instructions = "Use Integer SQL Injection to bypass access control.<br>"
+ "The goal here is to view the CEO's employee profile, again, even with data access "
+ "control checks in place from a previous lesson. "
+ "As before, you do not have the password, but the form is SQL injectable.";
instructions = "Execute SQL Injection to bypass authorization.<br>"
+ "As regular employee 'Larry', use SQL injection into a parameter of the View function "
+ "(from the List Staff page) to view the profile of the boss ('Neville').";
}
else if (STAGE4.equals(stage))
{
instructions = "Use a parameterized query again.<br>"
+ "Change the ViewProfile function to use a parameterized query to protect against "
+ "malicious SQL in the numeric query parameter.";
instructions = "Block SQL Injection using a Parameterized Query.<br>"
+ "Implement a fix to block SQL injection into the relevant parameter. "
+ "Repeat stage 3. Verify that access to Nevilles profile is properly blocked.";
}
}
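Review bot: The new Stage 1 text hard-codes the target as `'Neville'`, whereas the removed text built the name from `PRIZE_EMPLOYEE_NAME`; if that constant is still what the stage-completion check compares against (not visible in this hunk), the instruction and the check can now drift apart, so consider `+ "Use SQL injection to log in as the boss ('" + PRIZE_EMPLOYEE_NAME + "') without using the correct password. "` and the same in the Stage 3 text. Both new occurrences of `Nevilles profile` (Stage 1 and Stage 4) are missing the possessive apostrophe and should read `Neville's profile`. The enclosing method begins before the first line of this hunk.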